A Pennsylvania Legal Ruling Means That a Company May be Liable for Not Protecting Employee Data

Great legal emphasis is placed on companies protecting their own interests and those of their customers by safeguarding data. We don’t hear as much about employee data—but that’s a situation that’s changing.

This year alone, at least 36 states and Puerto Rico introduced and/or considered more than 160 bills or resolutions related to cybersecurity. And businesses worldwide are stepping up to spend a projected $124 billion to protect their data in 2019.

Many of these important measures have one thing in common: they’re designed to protect the customer, the general public, and the company. But a decision in late 2018 by the Pennsylvania Supreme Court finally took a big step toward shoring up another target of cybercrime—employees.

Why this decision is significant

Dittman v. UPMC was a class action suit for negligence and breach of implied contract submitted in June 2014. It was filed by employee Barbara Dittman on behalf of herself and all employees of the University of Pittsburgh Medical Center (UPMC) and UPMC McKeesport.

The suit was a result of a breach which led to the theft of sensitive personal data on 62,000 employees including their names, addresses, social security numbers, birth dates, and bank account information. The victims claimed that cybercriminals then used the information to file fraudulent tax returns in their names.

The Supreme Court stated in the ruling that:

“…we hold that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet- [J-20-2018] – 2 accessible computer system.

We further hold that, under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”

What this means: It’s a significant decision marking the first time that protecting employees’ personal information has been classified as an employer’s affirmative, common-law duty. This precedent could cause firms across the country to reassess their current data protection and cybersecurity systems if there is an assumed legal duty to adequately protect the information of employees—as well as liability from failing to do enough.

What this could mean for your business

This ruling should be a big red flag for any employer not yet operating a comprehensive cybersecurity solution. Ultimately, UPMC data arguably wasn’t kept “safe” because there was no specific legal prohibition or against lax security or a specific contract that outlined the responsibility for protecting it. The medical center did fight the suit and for a time, and it looked like it was free of blame.

It was determined that under breach of implied contract conditions, however, that a written contract didn’t have to exist for the case to go forward and be successful. It was simple enough that the employer had failed on basic obligations.

The outcome of the case has certainly set a precedent that companies all over America should pay attention to. Ignorance of the law has never been defense and claiming ignorance of a cyber threat is no longer practical for Pennsylvania employers who may be held accountable for a breach.

The Pennsylvania ruling is still a little vague, however. It states that an employer is legally obligated to exercise “reasonable care” in employee data protection. It’s a term the ruling doesn’t define in detail and confusion may leave a business vulnerable to liability. That said, implementing cybersecurity best practices and documenting every step taken to safeguard data are the essences of showing “reasonable care.”

Take significant precautions with your employee data

Being an employer in the 21st century is a complex responsibility. Company data, client data, and now employee data can represent huge security threats and legal liabilities if not treated with the highest concern. Companies small and large are equally vulnerable to attacks in today’s cyber-threat landscape, and small to midsize companies especially may not have the resources to recover from the cost of a data breach.

97% of data loss is preventable if your data is protected where it is created, accessed, and stored. Let that positive figure be your company’s defining number in the years ahead—not the price tag of a lawsuit over failing to protect your employees.